07734 Qbot – The Calculator Episode

10739450863?profile=RESIZE_400xThe Qbot malware was first discovered in 2008 and it has been used for a variety of purposes. It boasts a couple of prolific campaigns in recent years, particularly in 2020, but recent events indicate that it might have a slightly different coat of paint. We’ll begin our exploration here with a little bit of history on the Qbot malware, but from there we will move on to discussing DLL usage manipulation in Windows. In particular, we’ll go over a little bit about DLL side-loading: what it is, how it works, and how this technique relates to Qbot and the recently discovered attack by security researcher ProxyLife. From there, we will move on to describing the infection chain of this Qbot attack. That is, how the Qbot malware comes to be on one’s system and how it operates. To finish up, we’ll refresh everyone on some common mitigation techniques for avoiding infection and compromise from a malware like Qbot. Let’s begin with a bit of history.

Qbot, otherwise known as Qakbot or Pinkslipbot, was discovered in 2008. The cybercriminal threat group, Gold Lagoon, is typically credited as being the operating force behind it and it is under constant development. It has been described as a “Swiss Army knife” in terms of its capabilities, and this is due to its modular framework. It began as a banking trojan with the intent on stealing financial data, but it can also be used for other purposes such as credential stealing, keylogging, interception and manipulation of web traffic, and even remote access. Most recently, the security researcher ProxyLife discovered that Qbot can also be found abusing older versions of the Microsoft Windows calculator executable to perform attacks. This is achieved through a DLL side-loading method, which is conducive to obfuscating the malware in legitimate executables. That is the aspect of the Qbot malware that we’ll be discussing shortly. It is also worth mentioning here that Qbot is frequently distributed through spam campaigns. In fact, two large spam campaigns from 2020 are attributed to Qbot, with an updated version of the malware appearing around August of that year. In the Malwarebytes 2020 State of Malware report, Qbot was listed as #9 on the top ten list of threats to private companies. Tt also made the list for CheckPoint’s top ten list of most wanted malware in August 2020.

The mechanism for this recently discovered attack takes advantage of how dynamic link libraries work in Windows. In other words, malicious payloads are included in spoofed versions of legitimate DLL files. Depending on the implementation, this can be described in a couple of different ways. One way is known as DLL search order hijacking, which is a process by which an attacker plants a compromised DLL within the search order of a program. From there, the application being run is what executes the payload. This is possible because it is often the case that applications do not explicitly state a direct path in which to find DLLs. In such cases, the system reverts to searching for the DLL, beginning with the directory containing the application. A slightly different implementation of this is known as DLL side-loading, which indicates that the malicious DLL files are also packaged with legitimate executables. Doing things this way can help avoid any potential issues with trying to hijack the search order of a program. The distinction between the two methods is important in this case because this Qbot malware package has the Windows 7 version of the calculator included. This version of the calculator is included because this DLL side-loading method will not work with versions in Windows 10 or later.

The initial infection for Qbot will typically begin from an email spam campaign spreading an HTML file. Opening this HTML file places a password protected ZIP file in the user’s downloaded folder. From there, the opened HTML will inform the user that the file needs to be opened and it will show the password for the ZIP file in a misleading fashion, such as masquerading as a legitimate Adobe webpage and pretending that the downloaded file is a legitimate PDF file. Then, unpacking the ZIP file reveals a conspicuously named ISO file, which if mounted, will show a shortcut file. This shortcut file will be linked to the included calculator executable, which will execute quietly and utilize the included DLL files instead of those already on the system due to their location.

In terms of mitigating the threat of this type of infection, the recommendations are not too different from the norm. That is, users should seek to avoid opening emails, links, or associated attachments from unknown or irrelevant senders. In the case of this Qbot attack, the infection chain relies upon users expecting to receive a file or at least believing that the file came from a legitimate source. Similarly, users should also avoid downloading software from unverified sources. Next, users should aim to use strong passwords, multifactor authentication, and routinely change passwords. The general timeline for how often one should change a password falls between 30 and 90 days. For more advanced techniques, it could be useful to block access to URLs that can be used to spread malware, for example, torrent sites or warez urls. Then, for organizations it could be prudent to enable data loss prevention systems, or DLP, on users' systems.

In summary, Qbot was first discovered in 2008 and it has been used for a variety of purposes such as for stealing financial data or credentials, keylogging, or manipulating web traffic. A recent discovery indicates that it is now attempting to utilize a DLL side-loading technique to infect systems, which involves executing code on users’ systems through the manipulation of how dynamic link libraries work in Windows. The general infection chain for this attack involves obtaining an HTML file from a spam email, which then directs users to open multiple files. This process then leads to a hidden Windows 7 calculator executable being ran, utilizing DLL files containing malicious code, thereby infecting the system. Then, some common mitigation techniques for avoiding this type of attack include maintaining a strong password policy and using multifactor authentication, avoiding emails from unknown sources, avoiding downloads from suspicious websites, or ensuring the data loss prevention software is used on organizational systems.

[1]: https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
[2]: https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/
[3]: https://attack.mitre.org/techniques/T1574/002/
[4]: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
[5]: https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf
[6]: https://www.secureworks.com/research/threat-profiles/gold-lagoon
[7]: https://www.mandiant.com/resources/dll-side-loading-a-thorn-in-the-side-of-the-anti-virus-industry

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that offers technical reports like this from our friends at Microsoft. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings:




E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance